Automating Security in DevOps Pipelines...• Code your Infrastructure –eliminate access to...
Transcript of Automating Security in DevOps Pipelines...• Code your Infrastructure –eliminate access to...
1CONFIDENTIAL
Automating Security in DevOps Pipelines
DJ Schleen, Security Architect, Aetna
@dschleen
SANS Secure DevOps Summit and Training
October 10, 2017
2CONFIDENTIAL
Healthier Lifestyles
• Helping our customers and our community live
healthier lifestyles since 1853
• In 1954, Aetna ordered our first computer – an IBM
650
• Acquisitions and affiliates:
• Medicity in 2011
• iTriage in 2011
• Coventry in 2013
• bswift in 2014
• Many many others…
• Some affiliates have been practicing DevOps since
their inception – without knowing it
3CONFIDENTIAL
What does DevOps Mean
for Security?
4CONFIDENTIAL Image CC BY-SA 3.0 Nick Youngson
5CONFIDENTIAL5
An Unprecedented Opportunity
@dschleen
• Everyone supports the goals of the Business
• Automation and Tool Adoption
• Creativity, Collaboration and innovation
• Repeatable Processes
• Resiliency/Scalability
• Continual Feedback
• Anyone can commit to production – as fast as possible
• Application as Code / Infrastructure as Code / Security as Code
• Reduction of production operational impacts
• Easily auditable processes
• React Quickly to Software Vulnerabilities and their remediation
DevOps supports the
vision of a continuous
delivery culture, and the
addition of security
controls into an
automated environment.
6CONFIDENTIAL
success = people * process * tools
7CONFIDENTIAL
Program Overview
Aetna’s Current State Aetna’s Future State
SDLC • APLC, SAFe, SRWs • DevOps
Security findings
• Software defect management is separate from
Security findings
• Security findings not part of the SDA data mart
• Consistent and real time defect Management
• Powerful data and analytics to drive down defect
density, improve security posture, and identify
threats
People
Enhance current CBTs
Engage Security Champions
Cross train Security staff
Engage APLC / Agile teams
Process
Establish Gates
Defect Management
Risk Management
Real time KPI
Governance
Technology
ARA – Threat Modeling
Static Analysis / Open Source Security
Dynamic Analysis / Ethical Hacking
Container Security
Run time protectionInvest in QA Maven program
Investing in People …will yield significant benefits
…and will result in an improved security posture
8CONFIDENTIAL
Investing in our People
Value: Ensuring a trained and motivated security community is critical to successfully implementing security in a DevOps process
Attack & Educate
• Attack & Educate forums have been very well attended. Continue hosting these sessions
• Invite DevOps teams to educate the Security maven community on security related initiatives
Security Maven
• Security Mavens can share information if there are easy ways to collaborate. Improve the SSG site on Jive and other enterprise platforms
• Restart the SSG Newsletter
CBT
• Re-evaluate all the current CBTs to ensure content is current.
• Continue supporting the Security Maven Belt program
ILT
• Offer a comprehensive instructor led class on security aspects of DevOps
9CONFIDENTIAL
Building Security into the Process
Value: Ensuring a process where security artifacts are built into the SDLC is critical in ensuring the delivery of secure software across the enterprise
SDLC gates
• Establishing security gates in the DevOps process is critical in ensuring that security tests pass prior to code being promoted to following stages
• APLC teams must be engaged to ensure that gates are understood and enforced uniformly
Defect Management
• Transparent defect management ensures timely mitigation of security defects
• Security defects must be triaged like any other software defect A common defect management dashboard must be developed
Real time KPIs
• Generation of real time KPIs gives application teams visibility into the current risk posture of their applications
• Global security will be able to make immediate judgement on risk decisions
Security Architecture
• A comprehensive security architecture standard that addresses current acceptable architectures ensures faster decisions
• Security Architecture will be able to anticipate any upcoming technologies and fund POCs.
10CONFIDENTIAL
Specialized Security Tools
Value: While the principles of software security is the same, there are significant differences in technology stacks and the tools we must support to secure each stack.
Open Source
• Open Source Software Management Program has been implemented. Javascript, Java and PHP are currently supported. ~200 applications onboarded
• Plugin to Jenkins has been implemented.
Static Analysis
• IDE Based tools used effectively throughout the enterprise.
• Centralized SAST offers broad language support with more coverage
Dynamic Analysis
• Automated triggers when new applications hit staging and production
• Continuous nightly scans
• Output exported and injected into our WAF
Ethical Hacking
• Ethical hacking is an intentionally manual test that can take ~2 weeks to complete.
• Continues investment in training staff to keep up testing capabilities.
Container Security
• Implemented toolsets to ensure security of the containers
• Notarization and cryptographic signatures
• Policy Governance
• Evaluating RASP tools to ensure application layer security and enable faster promotion to production
11CONFIDENTIAL
Security in the pipeline…
12CONFIDENTIAL12
What are our Goals?
@dschleen
• Integrate Security knowledge and Secure coding practices into our DevOps
teams
• Expand the traditional cultural mindset of Security Teams and start getting our
hands dirty by coding
• To not just ”automate the scan button”
• Ensure that software passes through a well defined and automated set of
gateways that assess code security
• Utilize automation to stop or pause the delivery pipeline when critical
vulnerabilities are detected or manual intervention is necessary.
• Provide development teams with not just vulnerability information, but with
actionable remediation guidance
• To not forget about software after production deployments. You are only as
good as your last security assessment
Security pros need to
code too! Code your
security into the pipeline
and go enjoy a cold
beer with the #DevOps
peeps.
#SecurityAsCode #IaC
13CONFIDENTIAL
Is Agile “agile” enough?
Cycle Time: Weeks - Months
Cycle Time: Minutes - Hours
10 – 20 Releases
Your imagination is
the limit...
Plan Deploy Operate
Plan
Learn
Agile
DevOps
…Design
Build
Test
Deploy
Operate Design
Build
Test
Deploy
Operate
Design
Build
TestDesign
Build
Test
Learn
KPI@dschleen
The faster you can deploy to production, the quicker you can
remediate critical vulnerabilities and zero days
14CONFIDENTIAL
Faster Cycle Times, Increased Flow
Backlog
Design
Build
Test
Deploy
Operate
Generate near Real Time
KPIs for complete
transparency
Continuous
Threat Modelling
Manual Testing
Automated Testing
Icon made by Google from www.flaticon.com
CI & IDE Integrated Security Tools and Controls: Support both Static Analysis and Open Source Analysis
Embed controls into the applications/platforms
• Runtime Application Self-Protection (RASP)
• Container Security
Manual Security Testing (out of band)
• Dynamic Assessment
• Ethical Hacking
• App Red Team
Automated Security Testing (in band)
• Automated SAST/DAST, etc.
Pause if necessary, stop if mandatory,
minimize manual intervention
15CONFIDENTIAL
A *moment* in the life of a feature
Icons made by FreePik and VectorsMarket from www.flaticon.com
ProductionIdea
Work Item
Threat Model
Design
Architecture
Code Application
Code Infrastructure
SCM
BuildTest
Automated Tests
SAST
OSS Testing
Staging
DAST
Ethical Hacking
Acceptance Packaging Vulnerability Scan
LIVE
Duration: Minutes to Hours
Communication, KPI Gathering and Reporting
Acceptance
Manual,
Automated, or
Both
Deployment
@dschleen
Container Cycling
Binary Scrambling
WAF/Shield
Registry
16CONFIDENTIAL
...coding Security in without disruption
17CONFIDENTIAL
Challenges
• Integration of Security tools in a manner that supports
objectives for actionable continuous feedback
• Choosing the toolsets that provide as least disruption as
possible to DevOps teams.
• Extracting the proper KPI’s and indicators from the process
and making them actionable.
• Tailoring the People, Process, and Tooling to unique
environments
• Evolving the habits of 3,500+ developers
• Traditional infrastructure mindsets. There’s a new way of
doing things
• Multiple “flavors” of DevOps in different parts of the
organization
18CONFIDENTIAL18
Key Takeaways
• Don’t fear deploying rapidly and often into production.
• Always gather information in the form of KPIs and make them ACTIONABLE
• Support the organization with tools, techniques, and best practices
• Automate. EVERYTHING.
• Defects are defects - regardless if they are a code defect or security
vulnerability.
• Code your Infrastructure – eliminate access to physical or cloud based
machines
• Choose tools that interfere minimally with flow. Manual tasks like penetration
testing should be done out of band
• People turn dreams into reality
@dschleen
Use automation to
enable traceability of
production bound
features and
deliverables.
Thank you!
@dschleen